 Hello everyone, today I'll be talking about my work on post-quantum multi-party competition in constant rounds and this is joint work with James Bartusik, Vipul Goel, Dakshita Kaurana and Julia Malavut and I would like to thank James for letting me use the slides. So let me start by giving some background. So we all know that security of our cryptographic schemes rely on the existence of computationally hard problems. For example, the RSE system relies on the difficulty of factoring product of large pranks. But with quantum computers the situation is quite different because these quantum computers can represent information in terms of qubits and can exploit quantum mechanics such as superposition and entanglement to process information much faster than what classical computers can do. And indeed some of you might have heard of Shor's quantum polynomial time factoring algorithm which can be used to break the RSE cryptosystem. So with that this initiates the study of post-quantum cryptography where we want to design classical protocols. So protocols which can be run on classical computers but are still secure even against quantum attacks. And this requires two ingredients. First, we need the existence of quantum hard problems. For example, lattice based crypto. And the second ingredient that we need are new kind of security proofs. So what do I mean by these new security proofs? Most classical security proofs against malicious adversaries require a technique called revinding. And this form of classical revinding doesn't directly work in the quantum setting due to a well-known no cloning theorem. With state stats given that given an arbitrary quantum state, you cannot make two copies of the same quantum state. And this is what this work will be about. How to create new kind of security proofs to realize general purpose multi-party computation against quantum adversaries in constant rounds. So let me give an overview of the known simulation techniques both in the classical and quantum literature. So the first well-known technique is revinding as we might know about. And this was the first classical technique that was used to construct classical malicious wave higher zero knowledge proofs. There is an adaptation of this technique in the quantum setting by John Watris. But this requires polynomially many rounds. Then we have the non-blackbox simulation technique by Barak from 2001. However, even in this kind of simulation, the simulator has to clone the adversaries state. So this kind of simulation is not quantum friendly. Then we have this recent paradigm called homomorphic trapdoor paradigm. And this was initiated in the work of Bitansi Khurana Pane from 2019, which is a non-blackbox simulation technique where you assume that the simulator knows the code of the adversary. And this was used to create constant round post quantum zero knowledge proofs recently. And in this work, we extend the same kind of proof techniques to build general purpose multi-party computation in constant rounds, which crucially doesn't clone the adversaries state in the simulation proof. So with that, let me give you some background on what the setting of MPC is. So we have a set of parties each with the private inputs. And the goal is that they want to compute a function C on the private inputs by interacting with each other. The adversary might curb some subset of these parties indicated in red. And the security guarantee that we want is that the adversary should not learn anything about the private inputs of honest parties, apart from what it can reduce based on the fine, the output of the functionality. And the type of adversary that is generally considered in the literature is polynomial time adversary with static corruptions, arbitrary malicious behavior with dishonest majority. And there is a long line of works targeting this setting. But in our work, we want security against quantum polynomial time adversaries. There has been some work in literature on how to get security in the two-party setting. However, in the multi-party setting, this has been largely unexplored, especially in the constant round setting. So our approach towards this problem is the following. So we observed that there are no classical protocols which are constant round MPC, assuming there is a trusted setup phase. And these works are based on gavel circuits and multi-key FH. And moreover, when you instantiate these classical secure protocols with post-quantum secure primitives such as SSP, OT, and NISIC, you get post-quantum secure MPC, but with a trusted setup. So what is this trusted setup? So the trusted setup is basically a common random string. And what one needs to do in the security group is that the simulator of the common random string programs it. And thereafter, the simulation is completely straight line. So we observed that the entire approach boils down to building a constant round fully simulatable coin flipping protocol, which is secure against quantum adversaries. And once you have that, you can use that simulator to program CRS. And thereafter, the simulation is entirely straight line. So now with that, let me start by giving an overview of multi-party fully simulatable coin tossing. So we have a bunch of parties, and the functionality is that they all want to output some random string R. And the natural protocol template for realizing this functionality is that each party can just locally sample a uniformly random string R and broadcast a commitment to it. Then in the second round, each party broadcasts the opening value of this commitment. In the third round, they prove that the opening value is consistent with their commitments using a zero-knowledge proof. And if all the proofs verify, each party outputs the XOR of all the open values. So now in the constant round multi-party setting, what we want is that the first phase where each party commits to its random value R i should be a multi-party constant round extractable commitment. Not just that, we also want that the third step should be a multi-party constant round zero-knowledge proof. So now let me give and let me note that this task of creating multi-party constant round extractable commitments is the major challenge that we face in our work. And this is challenging in the quantum setting. So let me give an brief overview of what extractable commitments are. So these are just like regular commitments where a committer, there's a committer, a receiver, a committer wants to commit to some message. And let's say C is the commitment string. So we have the usual hiding property that C shouldn't reveal anything about the message of the committer during the commitment phase and binding that the committer C shouldn't be able to open his commitment to a different message in the opening phase. Along with that, we have this additional property called extractability, which demands that there exists an efficient extractor machine, E, which can interact with the committer, malicious committer during the commit phase and output the message that this is trying to commit to. Now, in the quantum setting, we have, as I mentioned, we have this no cloning barrier that we cannot clone the state of the adversary. And all classical extraction techniques rely on rebinding or some form of cloning. But we observed that there is this recent line of works which build non-cloning straight line extractors using non-backbox simulation ideas. And the crucial tool that these works use is fully homomorphic encryption and compute and compare obfuscation. And so let me describe these tools and I'll describe what their technique is because our technique crucially extends on their technique to the multiparticle. So let's start with what the fully homomorphic encryption ingredient is. So we have a client and the server. So Alice is the client. He has some private input X that he is wanting to commit to, that he wants to compute upon. So client can generate a public secret key pair, encrypt his private input using the public key and send it to the server. The server can take the ciphertext and do a homomorphic evaluation on the ciphertext to produce an evaluated ciphertext C star and return it back to the client. The client can then locally decrypt its evaluated ciphertext and the correctness property ensures that the output of the decryption is actually the evaluation of the function on the private input. So now let's look at what compute and compare obfuscation is. So this kind of obfuscation takes in a special kind of program called compute and compare program, which I've denoted by CC over here. And it has three parameters. So the first parameter is a function F, some hard coded function F. The second parameter is some log value. And the third parameter is some message M. And the functionality of this program is that it takes in an input X evaluates the function on this input X. And if the output is the log value, then it returns the message. Otherwise it returns an error. So this is what a compute and compare program is. The obfuscator lets us obfuscate these special kind of programs into and convert them into an obfuscated program, which looks like complete garbage. And this obfuscated program has the same functionality as the original program, but it is computationally indistinguishable from a program which always returns error message. So now let me describe what the homomorphic trapezoid paradigm is that is used in this work to build a non-revinding no cloning extraction technique. So we have a committer who is trying to commit to some message M and a receiver. So as a first step, the committer samples an FHE key pair, a trapdoor and a log value. And then it computes an encryption of the trapdoor. Then it prepares this special compute and compare program, where the hard coded function is the decryption circuit of the FHE. And there is this log value that it sampled earlier, and the output is just the secret key of the FHE along with the message. So if you manage to input a value which decrypts to the lock value, then you get the secret key and the message. This is what the compute and compare program will do. Now the committer obfuscates this program and calls and gets cc tilde and then sends a triplet consisting of the FHE public key, the encrypted trapdoor and the obfuscated program to the receiver. In the second round, the receiver tries to take a guess at what the trapdoor might do, which we'll call tt prime. And then the committer on receiving this guess checks whether the guess is correct. And if so, it returns the log value that it sampled earlier. Otherwise it just returns what. Now it's clear that this commitment scheme is actually hiding because the semantic security of the FHE scheme ensures that a malicious receiver cannot guess the trapdoor in the second round. And so the lock value from the obfuscated program will be completely hidden from its view. And therefore cc tilde will hide the message. Now let me talk about how an extractor which has access to the code of the adversary, which is the malicious committer, and still manage to extract the message m out of it. So as a first step, extractor runs the first round of the malicious committer on some initial state st reaches some intermediate state st prime and manages to get triplet out of the adversary. So this triplet consists of the FHE public key, the encrypted trapdoor and the obfuscated program just like before. Now in the second round, the extractor has to take a guess at what the encrypted trapdoor is. But he cannot do so just like an honest committer cannot guess it in the real world. The extractor cannot guess it. But what it can do is guess the trapdoor under the hood of FHE. So in the second round, the extractor will execute this last step of the malicious committer under the hood of FHE, which means that it will run the eval function on this fourth step using the encrypted trapdoor as input. And what it manages to get is an encrypted third round message. And this third round message is indeed the log value because under the hood of FHE the guess was correct. So it gets encryption of the actual log value along with an encryption of the final state of the adversary which is st double prime. Now the extractor can use this encrypted log value, feed it into this obfuscated cc tilde program and get out the secret key and the message because if you look at the obfuscated the computer and compare program evaluating the decryption circuit on this encrypted log indeed gets gives you the log value. So the output will be the secret key and the message. Now it has already got the message M. As a last step, the extractor uses the secret key to decrypt the encrypted final state in order to receive a plaintext version of the final state of the adversary and also outputs this final state along with the extractor message. Now this homomorphic traptor paradigm has been useful to construct constant run post quantum zero knowledge, thus improving upon the polynomial run quantum zero knowledge protocols of waters and in this work we basically explore whether this extraction technique can also be used in the multi-party setting where we want to do multi-party coin and the main challenge in our work was basically how can we ensure that the extractor can extract simultaneously from multiple parallel committers so an adversary which is corrupting multiple committers. How can the extractor manage to manage to extract from all of them simultaneously? So let me motivate the problem a bit more. So let's try to run the same technique as before on two committers. So the adversary here is corrupting two committers in parallel and let's say the extractor runs the same procedure as before, reaches an intermediate state sd prime and managed to get now two triplets of public key encrypted trapdoor and office kitted program. Now it can try to take a guess at what these trapdoors is in the second round by doing the same trick as before and trying to evaluate the last step of the adversary under the hood of FHG. But the challenge is that it has individual encryptions of tractors. So these are separate encryptions of tractor under separate public keys, but the extractor has got only one chance of doing the evaluation. So it has to do a single evaluation of the adversary on both these inputs, the encrypted trapdoor one encrypted trapdoor two and get out the log values, encrypted log values. But what should be this evaluation upon so in the last in the previous scheme, we saw that this was just the FHG evaluation. But now we have two inputs encrypted on the different public keys. So a natural way to resolve this is to use multi key FHG, which is like a generalized form of FHG in the multi client setting. So you have multiple clients, each with the individual public secret key pairs and their private inputs, they can encrypt their inputs under their own public keys and send the ciphertext to the server. The server can do a homomorphic evaluation on the ciphertext under a joint public key. And get out of evaluated ciphertext C star, which it can then send to clients. The clients can now locally run a partial decryption protocol on the these ciphertexts on the evaluated ciphertext to get out some some output. And this output should be interpreted as a partial output. And the key property is that these partial decryption outputs are actually additive secret shares of the actual output of the function on the private inputs of all parties. So this is what is known as the spooky property in this multi key FHG setting. And this is achieved by this work by Dodie Zakhar. And so our main idea is that we can run this homomorphic evaluation step on the adversary under using multi key FHG on the joint public key of both the committers. So and then get out encrypted third round messages. But the problem is not quite solved, because what we actually get is an encryption of the two log values and the final state under the joint public key. So this is still better than before, but not complete because to take advantage of the office catered programs and get the actual message out, what we actually want is an encryption of the individual locks under the individual public keys, not joint public keys. And so what the extractor has is an encryption of the two lock values under joint public keys, along with the office catered programs, and it needs to recover both the secret keys and the both the messages. So our idea is that as a first step, what we can do is convert these multi key cipher texts under the joint public key into a nested form where the locks are first encrypted under PK2 and then under PK1. And we'll see later how this can be done, but for now assume that this can be done efficiently. Once we have this, what we can use what we can do is take the second encryption. So we have locked two encrypted under PK2 and then under PK1 take this and evaluate CC2 tilde on this input homomorphically under the hood of public key one. So what we are indeed doing is we are feeding CC2 and encrypted lock, a nested encrypted lock to value under the hood of public key one. And what we will get as output is the secret key two, but because we did a homomorphic evaluation, this will also be under the hood of public key one. But now what we can do is take this secret key two, which is encrypted under PK1 and peel off the inner layer of encryption from this first nested cipher text. So what we can do is take the nested encryption of lock one and the secret key two, which is encrypted in a PK1 and peel off the inner layer by evaluating the decryption circuit of FHE2 under the hood of FHE1. Now what we get is an encryption of lock one under PK1, which can directly be evaluated on CC tilde one program to get out the actual secret key one and the actual message one. And this can be done symmetrically to extract secret key two and message two as well. So now let me complete by mentioning how we can convert from this joint public key encryption to a nested encryption. So we do this by relying on the AFS spooky property of the multi key FHE. So in this kind of FHE and an evaluated cipher text, so imagine an encryption of lock one under joint public key PK1, PK2 is of the following form. So we have a pair each encrypted individually and the PK1 and PK2 and the Z1 and Z2 are actually secret shares, additive secret shares of the actual log value. So this is the spooky additive function sharing property. So once we have this property, we can use it to convert the W and the joint encryption into a nested encryption in the following way. So we take the we take the first half of the pair. So first share encryption share and do two layers of homomorphic evaluation. So we first go under PK1 and then go under PK2 and XOR Z1 into Z2. And what we get as output is because even XOR Z2 is lock one, we get lock one encrypted under PK2 and then under PK1 because we went two layers down. As a side note, I would like to mention that since our adversary is quantum, so we need a multi key FHG scheme which works against with which works with supports evaluation of quantum circuits and not just classical circuits. And we do this by combining single key FHG schemes with support quantum circuits and multi key FHG schemes with support classical circuits. We combine these two techniques in order to construct multi key FHG scheme supporting evaluation of quantum circuits. And I would not go into details. You are encouraged to look into the paper for this. So now this completes a construction of constant on extractable commitments in constant rounds against quantum adversaries. And we note that this directly gives us constant on zero noise proofs as well in the multi party setting by relying on existing techniques in the literature. So now our coin flipping template is almost complete. So we replace the first round with a parallel extractable commitment and the third round with a parallel zero noise proof. However, there is a slight malability issue. So note that an adversary which is receiving a parallel extractable commitment from an honest player to some value R1 can create a parallel extractable commitment to some value R2 in such a way that R2 has some dependence on R1. For example, R2 can just be R1 plus 1. And this is bad because this can bias the outcome, the outcome of the protocol. So the final outcome R might not be uniformly random and we need to ensure that this that is the case in order for the security proof to go through. So to do that we rely on post quantum constant round non-malable commitments, which is also something that we construct in this paper. So we do that by relying on erasure channel based constant round non-malable commitments. So these are classical commitments from this work by Corona and Sahay. And the well-known tag amplification technique from the left of now. We combine these two techniques to construct post quantum constant round non-malable commitments in our paper. So with that, a final coin flipping protocol looks like before, but we have an additional step in the beginning where each party sends a non-malable commitment to the value Ri and the randomness that they plan to use in the parallel extractable commitment. So they send a non-malable commitment to both these things and this sort of ties the extractable commitment to the non-malable commitment, this Ri and Si, which helps a security proof program. So with that, our final result is that there exists a constant round MPC protocol in the plain model, which is secure against quantum polynomial time adversaries, assuming an LWE based circular security assumption, which is what we use in order to construct this quantum multi-key FHE with spooky property. And this in turn lets us create constant round Pal X extractable commitments, which is quantum secure and constant round Pal L zero noise proofs, which is also quantum secure. And the second assumption that we rely on is a mildly super polynomial hardness of LWE, by which we mean that there exists some constant C such that no QBT adversary has advantage better than lambda raised to iterated log of lambda C times in distinguishing LWE samples from uniform. And we use this assumption in order to build post-quantum constant round non-malable commitments. And with that, I conclude my talk. Thanks for listening.